Outsourcing and cloud computing service engagements are fraught with financial, security and other risks, especially if dealing with an unproven service provider. Obtaining a third party assurance report with respect to a service provider’s internal controls can provide some comfort. However, customers are often confused about what kind of assurance report they should obtain.
Canadian Standard on Assurance Engagements 3416 (CSAE 3416), Reporting on Controls at a Service Organization, is the Canadian accounting standard for reviewing and reporting on controls at a service organization. It is issued by the Auditing and Assurance Standards Board (AASB) and is equivalent to the Statement on Standards for Attestation Engagements (SSAE) No. 16, which is the standard in the United States, and is substantially similar to the International Standard on Assurance Engagements (ISAE) No. 3402.
SOC 1, 2 and 3
It is important to note that CSAE 3416 is not a report itself. A report under the CSAE 3416 standard is a Service Organization Control (SOC) 1 report, which is the successor to the Canadian Institute of Chartered Accountants (CICA) Section 5970 report. SOC 1 reports have a limited purpose: they only address internal controls over financial reporting.
There are two other categories of SOC reports available, SOC 2 and SOC 3, which are quite different in scope from SOC 1 reports. They report on controls related to security, availability, processing integrity, confidentiality and/or privacy, based on broad statements of objectives called “trust services principles”.
A SOC 2 report is a “restricted report” for the use of a specific audience, such as a particular customer of a service provider.
In contrast, a SOC 3 report is intended for general release (e.g. posted on a service provider’s website with a SysTrust seal or shared with prospective customers generally) and is a short form report that does not contain the same level of detail as a SOC 2 report. Unlike a SOC 2 report, a SOC 3 report does not contain a description of the service provider’s system of controls prepared by its management, nor does it include any auditor’s tests or test results. These elements are typically needed for a customer to determine how it may be affected by a service provider’s controls.
Type I and Type II SOC Reports
There are two types of SOC reports. Type I reports evaluate controls at a point in time while Type II reports evaluate controls over a period of time. Type II reports include the examination and confirmation steps involved in a Type I examination plus an evaluation of the effectiveness of the controls for a period of at least six calendar months.
When to obtain a SOC Report
Generally, a third party assurance report is needed when the services provided by the third party service provider have a material impact on a customer’s internal controls (in particular, internal controls over financial reporting (ICFR)). SOC reports can be very helpful when conducting due diligence on prospective service providers and for monitoring the risk of an organization’s outsourcing arrangements on an ongoing basis.
What type of SOC Report to Obtain
Customers that have their financial statements audited and outsource any key processes that affect their financial statements will likely require a CSAE 3416 (or SSAE 16) audit and SOC 1 report to ensure compliance with auditing requirements and securities laws.
Since SOC 1 reports only address internal controls over financial reporting, they may not be adequate for many customers of outsourcing and cloud services. Customers should, in addition to requiring the service provider to deliver an annual CSAE 3416 SOC 1 Type II report, consider requiring the service provider to deliver an annual SOC 2 Type II report where there are any concerns about personal and confidential information protection or system security, processing integrity or availability. This is often the case with SaaS, data centre and managed services engagements.
If a service provider already makes a SOC 3 report generally available to its customers or responsibility for the cost of a SOC 2 report becomes a heated issue, then a SOC 3 report may be an adequate alternative to a SOC 2 report.